Introduction

L7-filter is a packet classifier for Linux. Unlike most other classifiers, it does not just look at simple values such as port numbers. Instead, it does regular expression matching on the application layer data to determine what protocols are being used.

Since this classifier is much more processor and memory intensive than others, we recommend that you only use it if you have reason to believe that matching by port (or IP number, etc.) is insufficient for your purposes. L7-filter is right for you if you need:

layer7-protocol is a method of searching for patterns in ICMP/TCP/UDP streams.

L7 matcher is collecting first 10 packets of connection or first 2KB of connection and searches for pattern in collected data. If pattern is not found in collected data, matcher is not inspecting further. Allocated memory is freed and protocol is considered as unknown. You should take into account that a lot of connections will significantly increase memory usage. To avoid it add regular firewall matchers to reduce amount of data passed to layer-7 filters.

Additional requirement is that layer7 matcher must see both directions of traffic (incoming and outgoing). To satisfy this requirement l7 rules should be set in forward chain. If rule is set in input/prerouting chain then the same rule must be set also in output/postrouting chain, otherwise collected data may not be complete resulting in incorrectly matched pattern.